On Fri, 22 Jun 2012, Mann, Dave wrote:
: >editorial-board-list@lists.mitre.org] On Behalf Of Adam Shostack
: >I'm not sure which of these approaches would work best. Are there
: >other non-product-cetric issues that folks have encountered? Perhaps
: >with more samples, we can find a category.
:
: It bears reiterating that there are (at least) 2 dimensions to this problem:
: + What is important to cover
: + How do we describe what we will and won't cover
+ How do we actually cover it if the list is big
: We are moving into a time in which we must accept that CVE can no longer
: aspire to provide ID coverage for the global software market.
I don't recall it coming up during this thread, but perhaps before I
joined. Have we discussed the idea of creating more CNAs?
As one example, ZDI releases a sizable number of advisories, yet they are
not a CNA. Since they typically release in products that will make the
list most of you want, and they currently run into communication problems
with vendors, they should be a CNA in my eyes. Even if they get a pool of
100 IDs a year, that is all they need.
Now, think about a few dozen like that. Not only are they helping CVE, but
potentially expanding coverage. Looking to JP-CERT or more non-US bodies
that handle vulnerabilities could turn into a great asset to CVE.
I know I am an idealist in the land of VDBs often times, but if this
hasn't been explored, I think it is worth discussing.